Spy agencies more interested in stockpiling bugs than closing the gaps

WikiLeaks' dump of CIA hacking tool documents on Tuesday has kicked off a debate among security vendors about whether intel agencies are stockpiling vulnerabilities, and the effect this is having on overall security hygiene.

The leaked documents purport to show how the intel agency infiltrates smartphones, PCs, routers, IoT gear, potentially smart TVs, and other gear, using a range of hacking tools, as previously reported. These capabilities are hardly surprising to anyone who remembers the disclosures from former NSA contractor Edward Snowden back in 2013.

The CIA's abilities are more aligned toward targeted attacks rather than mass surveillance and bulk data collection – the stock in trade of the NSA, GCHQ and other signals intelligence agencies.

Still, it means the spy agency has a stockpile of vulnerabilities in hardware and software for a future exploitation, and it is unlikely to share details of these bugs with vendors in case the programming flaws are patched, according to security watchers.

Mikko Hypponen, chief research officer of security software firm F-Secure, commented: "In countries like the US, the intelligence agencies' mission is to keep the citizens of their country safe. The Vault7 leak proves that the CIA had knowledge of iPhone vulnerabilities."

"However, instead of informing Apple, the CIA decided to keep it secret. So the leak tells us a bit about how the CIA decided to use its knowledge: it considered it more important to keep everybody insecure than protecting its citizens from the vulnerability, and maybe use the vulnerability for its own purposes or counter terrorism purposes."

Slawek Ligier, VP of security engineering at Barracuda, argued CIA hacking could be working against its wider national interest.

"If the CIA knows of the specific exploit, chances are that the MI6, FSB, MSS, and Mossad are aware of it as well," Ligier said. "Not working on closing the gap and hoping that we will be the only ones able to exploit it puts all of us at risk. And frankly, the United States has much more to lose through potential industrial espionage than other countries."

Not all experts agree that the CIA is stockpiling vulns. "The government doesn't 'hoard' zero days. It uses zero days, it doesn't have a cache of zero days it isn't using," according to Rob Graham of Errata Security. Graham added that the agency buys rather than finds unpatched vulnerabilities, so critics are actually arguing that the government should spend millions on vulnerabilities in order to disclose them to vendors.

The CIA is yet to either confirm or deny the authenticity of the leak, but former spy agency boss Michael Hayden has decried the release – if confirmed – as "damaging" to the techniques and tactics used by the the CIA to conduct legitimate foreign intelligence, thereby making Western countries less safe. What's been exposed is at least consistent with what we know about the CIA's likely capabilities and experts are taking it seriously.

"The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open," said Edward Snowden in a Twitter update. "Reckless beyond words."

Security pundits fear that information exposed in the release will allow cybercriminals and less capable nation states to up the ante.

Richard Henderson, global security strategist at computer forensics outfit Absolute, said: "What's especially scary about the dump, and the exploits behind them, is that it appears the CIA may have lost control of all the tools at their disposal ... meaning that it is entirely likely that all of these exploits, vulnerabilities, tools, and malware are now in the hands of foreign governments or cybercriminals. In fact, the CIA's own documents show that they have been sharing selected exploits to other 'friendly' foreign governments for their own purposes.

"These developments are troubling for many reasons. First, the fact that a government intelligence agency has been actively purchasing, developing, and distributing critical vulnerabilities in ubiquitous consumer devices forces us to ask some very hard questions about the levels of oversight these agencies have right now. Second, this incident makes it crystal clear to me that the government push to mandate or legislate backdoors into devices (which Apple pushed back on recently) can never be successful. These backdoors will leak out into the open, making it entirely likely that agencies not friendly to the West will also take advantage of these vulnerabilities," Henderson warned.

Craig Fagan, policy director at the Web Foundation, said: "Governments should be safeguarding the digital privacy and security of their citizens, but these alleged actions by the CIA do just the opposite. Weaponizing everyday products such as TVs and smartphones – and failing to disclose vulnerabilities to manufacturers – is dangerous and short-sighted. It puts people around the world at risk of attack from hackers and repressive regimes, and this leak itself shows just how likely such tools are to spread beyond the organization that developed them."

Some vendors hoped the release would help spur the development of patches from Apple, Google and other affected vendors.

From Casey Ellis, chief exec and founder of bug bounty outfit Bugcrowd: "In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting. Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches.

"The net outcome over the long term is actually a good thing for Internet security – the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result – but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc, a period of actively exploitable 0-days bouncing around in the wild," Ellis concluded.

Absolute's Henderson added: "I hope that if the technical details of the exploits become more and more in the open, device manufacturers will be quick to respond with updates and remediation steps to protect customers."

Wikileaks, the CIA, and the original exploit authors have combined to provide the same knowledge as the "good old days" of full disclosure – but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves, according to Bugcrowd's Ellis.

"It's only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to a proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits – and the risk those vulnerabilities create for the Internet – will become less and less common," Ellis concluded. ®